A014 - CMMC 2.0 Requirements Explained

CMMC NIST defense cybersecurity

by SigmaSRC Team

CMMC 2.0 Requirements Explained: Complete Guide for Defense Contractors

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is mandatory for Department of Defense contractors. This guide explains the requirements, levels, and how to prepare for certification.

What is CMMC 2.0?

CMMC 2.0 is the DoD's framework for assessing and certifying the cybersecurity practices of contractors in the Defense Industrial Base (DIB). It replaces the self-attestation model with verified assessments for organizations handling Controlled Unclassified Information (CUI).

Key Changes from CMMC 1.0

Aspect CMMC 1.0 CMMC 2.0
Levels 5 levels 3 levels
Practices 171 unique practices Aligned to NIST 800-171/172
Third-Party Assessment All levels Level 2 and some Level 1
Self-Assessment Not allowed Allowed for Level 1 and some Level 2
POA&M Not allowed Limited allowance

CMMC 2.0 Levels

Level 1: Foundational

Who Needs It: Contractors with Federal Contract Information (FCI) only

Requirements:

  • 17 practices from FAR 52.204-21
  • Basic cyber hygiene
  • Self-assessment (annual)

Assessment:

  • Annual self-assessment
  • Affirmation in SPRS
  • No third-party required

Level 2: Advanced

Who Needs It: Contractors handling Controlled Unclassified Information (CUI)

Requirements:

  • All 110 NIST SP 800-171 requirements
  • Good cyber hygiene practices
  • Documentation (SSP, POA&M)

Assessment:

  • Third-party assessment by C3PAO (for prioritized acquisitions)
  • Self-assessment (for non-prioritized acquisitions)
  • Triennial certification

Level 3: Expert

Who Needs It: Highest-priority programs with significant CUI

Requirements:

  • NIST SP 800-171 + selected 800-172 requirements
  • Advanced cybersecurity practices
  • Expert-level security

Assessment:

  • Government-led assessment (DIBCAC)
  • Triennial certification

NIST 800-171 Control Families

Level 2 requires implementing all 110 requirements across 14 control families:

  1. Access Control (22 requirements)
  2. Awareness and Training (3 requirements)
  3. Audit and Accountability (9 requirements)
  4. Configuration Management (9 requirements)
  5. Identification and Authentication (11 requirements)
  6. Incident Response (3 requirements)
  7. Maintenance (6 requirements)
  8. Media Protection (9 requirements)
  9. Personnel Security (2 requirements)
  10. Physical Protection (6 requirements)
  11. Risk Assessment (3 requirements)
  12. Security Assessment (4 requirements)
  13. System and Communications Protection (16 requirements)
  14. System and Information Integrity (7 requirements)

Steps to CMMC Compliance

1. Determine Your Level

  • FCI only → Level 1
  • CUI → Level 2
  • High-priority CUI → Level 3

2. Scope Your Environment

  • Identify where CUI is processed, stored, or transmitted
  • Document your CUI boundary
  • Consider enclave strategies to limit scope

3. Conduct Gap Assessment

  • Assess current state against requirements
  • Identify gaps and deficiencies
  • Prioritize remediation

4. Develop SSP and POA&M

  • Document your System Security Plan
  • Create Plan of Action and Milestones for gaps
  • Maintain living documents

5. Implement Controls

  • Address gaps systematically
  • Deploy technical and administrative controls
  • Train personnel

6. Prepare for Assessment

  • Gather evidence
  • Conduct internal assessment
  • Address findings

7. Complete Assessment

  • Self-assessment or C3PAO assessment
  • Submit to SPRS
  • Maintain certification

CMMC Timeline

  • CMMC in Contracts: Phased rollout beginning 2025
  • Full Implementation: Expected by 2026
  • Preparation Time: 12-24 months recommended

Common Challenges

Scoping CUI

Many organizations struggle to identify all CUI flows. Conduct thorough data flow mapping.

POA&M Limitations

CMMC 2.0 allows limited POA&Ms but not for all controls. Critical controls must be fully implemented.

Supply Chain Flow-Down

Primes must ensure subcontractors meet requirements. Plan for flow-down early.

Resource Constraints

Small businesses face significant compliance burden. Consider managed security services.

How SigmaSRC Helps

SigmaSRC accelerates CMMC compliance with:

  • NIST 800-171 Mapping - All 110 requirements pre-mapped
  • Continuous Monitoring - Real-time compliance status
  • Evidence Collection - Automated audit evidence
  • SPRS Score Tracking - Monitor your score improvement
  • Assessment Readiness - Prepare for C3PAO assessments

Related Resources

Previous Post Next Post